
Barracuda IPFIX Configuration

The Barracuda IPFIX configuration is very easy, and the resulting flow exports give network administrators enhanced visibility into the traffic moving in and out of highly dynamic, security-critical network environments.

The Barracuda NG Firewall gives administrators granular control over applications and data streams, allowing them to define rules for forwarding data traffic using the best respective transmission channels based on things like the type of application, user, content, time of day, and geographical location.

The good news is that this data can all be exported via IPFIX.

Barracuda IPFIX reporting provides excellent visibility not only into the traffic traversing the network through the firewall but also into traffic patterns that matter for network security and incident response.

Let’s take a look at how to get IPFIX configured.

Step 1. Enable and Configure IPFIX

  1. Log into the Barracuda firewall and go to CONFIGURATION > Full Configuration > Box > Infrastructure Services > General Firewall Configuration.
  2. In the left menu, select Audit and Reporting.
  3. If you want to stream via TCP/SSL, select Switch to Advanced View from the Configuration Mode menu.
  4. Click Lock.
  5. In the IPFIX Streaming section, set Enable IPFIX/Netflow to yes.
  6. (optional) Set Enable intermediate report to yes.
  7. (optional) Enter the IPFIX reporting interval for intermediate reports in minutes.
  8. Choose an IPFIX Template:
    • Default – Includes basic data. This is the default template used in firmware version 5.4.X.
    • Extended – Includes all data from the default template plus octetDeltaCount, packetDeltaCount, reverseOctetDeltaCount, reversePacketDeltaCount and firewallEvent.
  9. Click + next to Collectors to add an IPFIX/Netflow collector.
    1. Enter a Name for the collector settings and click OK. The Collectors window opens.
    2. Select the protocol from the Export Mode list. Because IPFIX data streams may contain confidential data, it is recommended that you select TCP/SSL.
    3. If you are using TCP/SSL, configure the SSL certificate settings.
    4. Enter the Collector IP.
    5. Enter the Collector Port.
    6. Select the Byte order for data. Default: BigEndian
  10. Enter the Collector IP and Collector Port of the IPFIX collector.
  11. Click OK.
  12. Click Send Changes and Activate.

You must also create a PASS host firewall rule to allow traffic between the Barracuda NG Firewall and the IPFIX collector.
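To confirm at the collector which fields the firewall's template actually announces, the following added example (not Barracuda's code and not from the original post) parses the template sets of one captured IPFIX message per RFC 7011 and reports which of octetDeltaCount, packetDeltaCount and firewallEvent are absent. It assumes the BigEndian byte order that is the default above; the function names, the sample message and its enterprise number are constructed, and the reverse counters are not checked because this page does not say how they are encoded.

```python
import struct

IPFIX_VERSION, TEMPLATE_SET_ID = 10, 2   # RFC 7011 constants
# IANA element IDs for three of the fields the Extended template adds
EXTENDED = {1: "octetDeltaCount", 2: "packetDeltaCount", 233: "firewallEvent"}

def parse_templates(msg: bytes) -> dict:
    """Map template ID -> [(enterprise_number, element_id, field_length)]."""
    if len(msg) < 16:
        raise ValueError("shorter than the 16-byte IPFIX message header")
    version, length = struct.unpack("!HH", msg[:4])   # network (big-endian) order
    if version != IPFIX_VERSION or length != len(msg):
        raise ValueError("not a complete IPFIX message")
    templates, pos = {}, 16
    while pos + 4 <= length:                          # walk the sets
        set_id, set_len = struct.unpack("!HH", msg[pos:pos + 4])
        if set_len < 4 or pos + set_len > length:
            raise ValueError("set length runs outside the message")
        if set_id == TEMPLATE_SET_ID:
            templates.update(_template_records(msg[pos + 4:pos + set_len]))
        pos += set_len
    return templates

def _template_records(body: bytes) -> dict:
    out, pos = {}, 0
    while pos + 4 <= len(body):                       # fewer than 4 bytes left is padding
        tid, count = struct.unpack("!HH", body[pos:pos + 4])
        pos, fields = pos + 4, []
        for _ in range(count):
            size = 8 if pos < len(body) and body[pos] & 0x80 else 4  # enterprise bit
            if pos + size > len(body):
                raise ValueError("truncated field specifier")
            ie, flen = struct.unpack("!HH", body[pos:pos + 4])
            pen = struct.unpack("!I", body[pos + 4:pos + 8])[0] if size == 8 else 0
            fields.append((pen, ie & 0x7FFF, flen))
            pos += size
        out[tid] = fields
    return out

def missing_extended(fields: list) -> list:
    """Names from EXTENDED that a template does not carry as IANA elements."""
    seen = {ie for pen, ie, _ in fields if pen == 0}
    return sorted(name for ie, name in EXTENDED.items() if ie not in seen)

def sample_message() -> bytes:
    """Constructed message: template 256, four IANA fields, one made-up enterprise field."""
    specs = struct.pack("!8H", 8, 4, 12, 4, 1, 8, 2, 8) + struct.pack("!HHI", 0x8001, 8, 64512)
    tset = struct.pack("!HHHH", TEMPLATE_SET_ID, 4 + 4 + len(specs), 256, 5) + specs
    return struct.pack("!HHIII", IPFIX_VERSION, 16 + len(tset), 0, 0, 0) + tset
```

Feed `parse_templates` the payload of a single captured export message; an empty list from `missing_extended` means the template carries all three checked fields.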

Step 2. Enable HTTP Proxy Access Log Streaming via IPFIX

After you configure IPFIX streaming, you can enable the Barracuda NG Firewall to stream HTTP proxy access log data via IPFIX.

  1. Go to CONFIGURATION > Full Configuration > Box > Virtual Servers > your virtual server > Assigned Services > HTTP-Proxy > HTTP Proxy Settings.
  2. From the Configuration Mode menu, select Switch to Advanced View.
  3. Click Lock.
  4. In the Log Settings section, set IPFIX Streaming to yes.
  5. Click Send Changes and Activate.

There is some additional information about the NG Firewall and IPFIX configuration on the Barracuda IPFIX configuration page.

Now let’s talk about network security, in general, and the benefits of using IPFIX.

We all know that enterprise networks are facing ever-increasing security threats from worms, port scans, DDoS, and network misuse. And Barracuda Networks undoubtedly provides an efficient monitoring solution that quickly detects these activities. But Barracuda, like most firewalls and intrusion detection systems (IDS), is deployed at the edge of the network.

Today, using IPFIX for security forensics, to monitor communication behaviors and even to maintain baselines, is becoming more prevalent. By collecting flows representing all of the conversations traversing the network, you gain visibility into suspect conversations coming in and out of your network, as well as moving laterally inside. When the signatures in the IDS/IPS fail to catch malware, NetFlow and IPFIX can recognize enough odd behaviors to identify an infection. Collecting flows from all devices (e.g. firewalls, routers, and switches) on your network essentially turns each device into a security probe and provides a significant additional security layer to your network intrusion prevention solution.

There is no silver bullet for security detection on large network infrastructure; however, with NetFlow and IPFIX we can attain further insight into the traffic crossing your entire network — and make it run better.

The right analysis tool provides proactive detection of network infrastructure security events, minimizing the time and labor involved in locating and resolving problems.

Do you want to learn how you can turn your network traffic into a valuable security tool?